Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Pulumi to create Entra applications #2248

Open
wants to merge 12 commits into
base: develop
Choose a base branch
from
Open

Use Pulumi to create Entra applications #2248

wants to merge 12 commits into from

Conversation

jemrobinson
Copy link
Member

@jemrobinson jemrobinson commented Oct 22, 2024
edited
Loading

✅ Checklist

  • You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
  • You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
  • Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

n/a

⤴️ Summary

Replace creation of SRE Entra applications through the SDK with creation through pulumi-azuread.

Note we still need one SDK-created Entra application in the SHM which is used to authenticate pulumi-azuread.

The msgraph_permissions map looks up the GUIDs for all possible permissions. We could consider replacing this with a static lookup table that only covers the ones we need.

🌂 Related issues

Closes #2215

🔬 Tests

Tested on a fresh SRE deployment

@jemrobinson jemrobinson requested a review from a team as a code owner October 22, 2024 12:17
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 22, 2024
edited
Loading

Coverage report

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)		Lines missing
  data_safe_haven/commands
  pulumi.py
  sre.py
  data_safe_haven/external/api
  credentials.py
  graph_api.py
  data_safe_haven/infrastructure
  project_manager.py
  data_safe_haven/infrastructure/components/composite
  __init__.py
  entra_application.py 23-30, 53, 78, 102-150
  data_safe_haven/infrastructure/components/dynamic
  __init__.py
  data_safe_haven/infrastructure/programs
  declarative_sre.py 156
  data_safe_haven/infrastructure/programs/sre
  entra.py 28-30, 43-47, 57-124
  identity.py 39-40
  remote_desktop.py 58-59
  data_safe_haven/provisioning
  sre_provisioning_manager.py
  data_safe_haven/types
  enums.py
Project Total  

This report was generated by python-coverage-comment-action

@jemrobinson jemrobinson changed the title Use Pulumi to create Entra applications WIP Use Pulumi to create Entra applications Oct 22, 2024
@jemrobinson jemrobinson marked this pull request as draft October 22, 2024 14:19
@jemrobinson jemrobinson force-pushed the 2215-create-entra-applications-with-pulumi branch from b76de51 to 4d7ff34 Compare October 23, 2024 19:30
@jemrobinson jemrobinson marked this pull request as ready for review October 23, 2024 21:44
@jemrobinson jemrobinson changed the title WIP Use Pulumi to create Entra applications Use Pulumi to create Entra applications Oct 23, 2024
@jemrobinson
🔧 Add GUID for Directory.ReadWrite.All permission
aa799fa
@jemrobinson
✨ Add pulumi-azuread EntraApplication component
b36f6bc
@jemrobinson
✨ Add support for web applications as well as desktop applications
63b0d03
@jemrobinson
♻️ Use composite EntraApplication component for identity server
9b872be
@jemrobinson
🚚 Consolidate remote desktop URL construction in Entra component
8562087
@jemrobinson
♻️ Use composite EntraApplication component for remote desktop server
acc7234
@jemrobinson
⚰️ Drop dynamic EntraApplication component
62c0bd7
@jemrobinson
🐛 Use client_id instead of id for Entra applications
244cd35
@jemrobinson
♻️ Add an EntraAppPermissionType enum to ensure that Role/Scope are u…
4fcffa7 
…sed consistently
@jemrobinson
🚚 Simplify import path for Entra components
7eb6fa0
@jemrobinson
⚰️ Drop requirements for GraphAPI everywhere in the SRE where they ar…
810d86e 
…e used to seed the pulumi-azuread provider
@jemrobinson jemrobinson force-pushed the 2215-create-entra-applications-with-pulumi branch from d211fe6 to 810d86e Compare October 25, 2024 09:22
@jemrobinson
👽 Do not replace azuread:clientId or azuread:tenantId in stack option…
3d5f21a 
…s since these set the provider information in the state file and cannot be changed
@jemrobinson jemrobinson force-pushed the 2215-create-entra-applications-with-pulumi branch from 59078dd to 3d5f21a Compare October 25, 2024 09:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@craddm craddm Awaiting requested review from craddm

@JimMadge JimMadge Awaiting requested review from JimMadge

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create Entra applications with Pulumi
1 participant
@jemrobinson